Data Policy

Cruze Cart stores only the minimum data necessary to operate the service. The following information is stored in our database (powered by Supabase):

• Username — your chosen display name
• Email address — used for account login and service communications
• Account metadata — account creation date, last sign-in timestamp, subscription status
• Partner/advertiser data — business name, ad content, and campaign settings for users of the partner portal

We do not store:

• Credit card numbers or bank account details
• Passwords in plain text
• Precise GPS location history

User authentication is powered by Supabase, an open-source backend platform. When you create an account or sign in, your credentials are handled through Supabase's authentication service.

• Passwords are hashed using bcrypt — never stored in plain text
• Session tokens are encrypted and stored securely
• Supabase stores your email and encrypted password in their managed database
• Supabase's infrastructure is hosted on AWS and is compliant with SOC 2 Type II

Supabase's privacy policy is available at supabase.com/privacy.

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor.

Cruze Cart does not store any payment information in our database. We never see, handle, or store your credit card number, CVV, expiration date, or bank account details. All payment data is transmitted directly from your device to Stripe's secure servers.

• We store only a Stripe Customer ID (an opaque reference token) to associate your account with your Stripe billing record
• Subscription status (active, canceled, etc.) is stored in our database to grant or revoke app access
• No full card numbers, CVVs, or bank details ever touch our servers

Stripe's privacy policy is available at stripe.com/privacy.

The Cruze Cart iOS app uses Apple Maps (MapKit) to render maps, display cart path overlays, and provide turn-by-turn navigation.

• Map tile data and geocoding requests are sent to Apple's servers as part of normal MapKit operation
• Apple may collect anonymized location data in accordance with their privacy policy
• Cruze Cart does not receive or store any data from your MapKit interactions

Apple's privacy policy is available at apple.com/legal/privacy.

The Cruze Cart app accesses your device's GPS location to provide real-time navigation. Location data is processed entirely on your device and is not transmitted to or stored on Cruze Cart's servers. You can revoke location permissions at any time in your device's Settings app; however, doing so will prevent navigation features from working.

Our database is hosted on Supabase (AWS infrastructure) with the following protections in place:

• All data in transit is encrypted using TLS 1.2+
• All data at rest is encrypted using AES-256
• Database access is restricted by row-level security policies
• API access requires authenticated JWT tokens

You may request deletion of your account and all associated data at any time by emailing [email protected]. We will process deletion requests within 30 days. Note that Stripe retains billing records for their own legal and compliance purposes even after account deletion; please refer to Stripe's data retention policy for details.

We may update this Data Policy as we add or change the services we use. When we make material changes, we will update the effective date above and notify you where appropriate.